Context Committing Security of Leveled Leakage-Resilient AEAD
(2024) In IACR Transactions on Symmetric Cryptology 2024(2), p. 348-370
Abstract
During recent years, research on authenticated encryption has been thriving through two highly active and practice-motivated research directions: provably secure leakage-resilience schemes and key- or context-commitment security. However, the intersection of both fields had been overlooked until very recently. In ToSC 1/2024, Struck and Weishäupl studied generic compositions of Encryption schemes and Message Authentication Codes for building committing leakage-resilient schemes. They showed that, in general, Encrypt-then-MAC (EtM) and MAC-then-Encrypt (MtE) are not committing while Encrypt-and-MAC (EaM) is under plausible and weak assumptions on the components. However, real-world schemes are rarely strict black-box constructions. Instead, while various leakage-resilient schemes follow blueprints inspired by generic compositions, they often tweak them for security and/or efficiency reasons.

We show that with careful selection of the underlying primitives, such as equal encryption and authentication keys as well as a collision-resistant PRF as the MAC, these blueprints are committing. Our results do not contradict the results by Struck and Weishäupl since we pose more, but practically-motivated, requirements on the components. We demonstrate the practical relevance of our results by showing that our results on those blueprints allow one to easily derive proofs that several state-of-the-art leakage-resilient schemes are indeed committing, including TEDT and its descendants TEDT2 and Romulus-T, as well as the single-pass scheme Triplex.
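The abstract contrasts the generic Encrypt-then-MAC blueprint with independent keys, which is not committing in general, against the blueprint with equal encryption and authentication keys and a collision-resistant PRF as the MAC. The following is an added example, not code from the paper or its authors, that makes the distinction concrete with a key-commitment (CMT-1 style) check: one (nonce, associated data, ciphertext, tag) tuple is fed to decryption under two distinct keys, and the scheme fails commitment if both accept. Variant A is a toy EtM with independent keys whose MAC is HMAC-SHA256 with any key length allowed; HMAC is a fine PRF, but RFC 2104 hashes every key longer than the 64-byte block, so HMAC(K, m) equals HMAC(SHA-256(K), m) whenever |K| > 64, which already yields two accepting keys. Variant B applies the two requirements the abstract names, one shared key and a MAC restricted to a fixed key length, and the same trick no longer works. Everything here is assumed for illustration: the keystream PRF, the encoding, the constructed sample inputs, and in particular the assumption that fixed-key-length HMAC-SHA256 is collision resistant as a function of (key, input); the code defeats one concrete collision, it does not prove commitment.

```python
# Added example (not from the paper): toy Encrypt-then-MAC AEAD in two variants
# plus a key-commitment (CMT-1 style) check.  All inputs below are constructed.
import hashlib
import hmac

KEY_LEN = 32  # bytes; the fixed key length Variant B enforces


def _encode(nonce: bytes, ad: bytes, c: bytes) -> bytes:
    """Unambiguous MAC input: length-prefixed AD and nonce, then the ciphertext."""
    return len(ad).to_bytes(4, "big") + ad + len(nonce).to_bytes(1, "big") + nonce + c


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream (toy PRF standing in for a block cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


# --- Variant A: generic EtM, independent keys, any MAC key length accepted ---
def etm_encrypt(kenc: bytes, kmac: bytes, nonce: bytes, ad: bytes, msg: bytes):
    c = _xor_stream(kenc, nonce, msg)
    t = hmac.new(kmac, _encode(nonce, ad, c), hashlib.sha256).digest()
    return c, t


def etm_decrypt(kenc: bytes, kmac: bytes, nonce: bytes, ad: bytes, c: bytes, t: bytes):
    exp = hmac.new(kmac, _encode(nonce, ad, c), hashlib.sha256).digest()
    if not hmac.compare_digest(exp, t):
        return None
    return _xor_stream(kenc, nonce, c)


# --- Variant B: one key for both components, fixed key length, domain-separated MAC ---
def eq_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly %d bytes" % KEY_LEN)
    c = _xor_stream(key, nonce, msg)
    t = hmac.new(key, b"mac" + _encode(nonce, ad, c), hashlib.sha256).digest()
    return c, t


def eq_decrypt(key: bytes, nonce: bytes, ad: bytes, c: bytes, t: bytes):
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly %d bytes" % KEY_LEN)
    exp = hmac.new(key, b"mac" + _encode(nonce, ad, c), hashlib.sha256).digest()
    if not hmac.compare_digest(exp, t):
        return None
    return _xor_stream(key, nonce, c)


# --- CMT-1 style check: is one (nonce, ad, c, t) accepted under two distinct keys? ---
NONCE, AD, MSG = bytes(12), b"constructed-header", b"constructed plaintext"  # constructed sample input


def variant_a_commitment_broken() -> bool:
    """True if two distinct key pairs both accept the same EtM output (commitment fails)."""
    kenc = hashlib.sha256(b"constructed enc key").digest()
    k_long = bytes(range(80))                      # 80 bytes > 64-byte SHA-256 block
    k_hash = hashlib.sha256(k_long).digest()       # the key HMAC actually uses for k_long
    c, t = etm_encrypt(kenc, k_long, NONCE, AD, MSG)
    under_long = etm_decrypt(kenc, k_long, NONCE, AD, c, t)
    under_hash = etm_decrypt(kenc, k_hash, NONCE, AD, c, t)
    return k_long != k_hash and under_long == MSG and under_hash == MSG


def variant_b_same_trick_fails() -> bool:
    """True if neither an over-long key nor the hashed key yields a second accepting key."""
    key = hashlib.sha256(b"constructed single key").digest()   # exactly 32 bytes
    c, t = eq_encrypt(key, NONCE, AD, MSG)
    try:                                   # over-long key is rejected, not silently hashed
        eq_decrypt(bytes(range(80)), NONCE, AD, c, t)
        return False
    except ValueError:
        pass
    other = hashlib.sha256(key).digest()   # a second fixed-length key: tag does not verify
    return eq_decrypt(other, NONCE, AD, c, t) is None and eq_decrypt(key, NONCE, AD, c, t) == MSG


if __name__ == "__main__":
    print("Variant A (independent keys) key commitment broken:", variant_a_commitment_broken())
    print("Variant B (equal keys, fixed key length) resists that trick:", variant_b_same_trick_fails())
```

The check only ever asks whether decryption accepts, not whether the two keys yield the same plaintext: key commitment is already violated when one ciphertext verifies under two keys, which is why a MAC that is a good PRF but admits key collisions is enough to break the independent-key blueprint.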
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/8e864e7f-56f5-4d10-adfe-3469614f4c79
- author
- Dhar, Chandranan ; Ethan, Jordan ; Jejurikar, Ravindra ; Khairallah, Mustafa (LU) ; List, Eik and Mandal, Sougata
- publishing date
- 2024-06-18
- type
- Contribution to journal
- publication status
- published
- in
- IACR Transactions on Symmetric Cryptology
- volume
- 2024
- issue
- 2
- pages
- 348 - 370
- publisher
- Ruhr-Universität Bochum
- external identifiers
- scopus:85197282999
- ISSN
- 2519-173X
- DOI
- 10.46586/tosc.v2024.i2.348-370
- language
- English
- LU publication?
- yes
- id
- 8e864e7f-56f5-4d10-adfe-3469614f4c79
- date added to LUP
- 2024-05-03 09:14:51
- date last changed
- 2025-10-14 12:10:01
@article{8e864e7f-56f5-4d10-adfe-3469614f4c79,
abstract = {{During recent years, research on authenticated encryption has been thriving through two highly active and practice-motivated research directions: provably secure leakage-resilience schemes and key- or context-commitment security. However, the intersection of both fields had been overlooked until very recently. In ToSC 1/2024, Struck and Weishäupl studied generic compositions of Encryption schemes and Message Authentication Codes for building committing leakage-resilient schemes. They showed that, in general, Encrypt-then-MAC (EtM) and MAC-then-Encrypt (MtE) are not committing while Encrypt-and-MAC (EaM) is under plausible and weak assumptions on the components. However, real-world schemes are rarely strict black-box constructions. Instead, while various leakage-resilient schemes follow blueprints inspired by generic compositions, they often tweak them for security and/or efficiency reasons. We show that with careful selection of the underlying primitives such as equal encryption and authentication keys as well as a collision-resistant PRF as the MAC, these blueprints are committing. Our results do not contradict the results by Struck and Weishäupl since we pose more, but practically-motivated, requirements on the components. We demonstrate the practical relevance of our results by showing that our results on those blueprints allow to easily derive proofs that several state-of-the-art leakage-resilient schemes are indeed committing, including TEDT and its descendants TEDT2 and Romulus-T, as well as the single-pass scheme Triplex.}},
author = {{Dhar, Chandranan and Ethan, Jordan and Jejurikar, Ravindra and Khairallah, Mustafa and List, Eik and Mandal, Sougata}},
issn = {{2519-173X}},
language = {{eng}},
month = {{06}},
number = {{2}},
pages = {{348--370}},
publisher = {{Ruhr-Universität Bochum}},
series = {{IACR Transactions on Symmetric Cryptology}},
title = {{Context Committing Security of Leveled Leakage-Resilient AEAD}},
url = {{http://dx.doi.org/10.46586/tosc.v2024.i2.348-370}},
doi = {{10.46586/tosc.v2024.i2.348-370}},
volume = {{2024}},
year = {{2024}},
}